The deserialization flaw allows attackers to remotely execute arbitrary code on customers’ IIS web servers.
Hackers are exploiting a high-severity remote code execution (RCE) flaw in Cityworks deployments — a GIS-centric asset and work order management software — to execute code on customers’ Microsoft web servers.
In a coordinated advisory with the US Cybersecurity and Infrastructure Security Agency (CISA), Cityworks’ developer Trimble said that the vulnerability, tracked as CVE-2025-0994 with a CVSS score of 8.6, is a severe deserialization flaw and that it is working on a fix that will be released in the next software update.
US cities including Greeley, Baltimore County, and Newport News, along with critical utilities such as Sacramento Suburban Water District and Bay County Road Commission, depend on Cityworks for asset management. A breach could lead to service disruptions, data exposure, and public safety risks, highlighting the need for prompt patching of this vulnerability.
“On-premises customers should install the updated version immediately,” Trimble said. “These updates will be automatically applied to all Cityworks Online (CWOL) deployments.”
During its investigation, prompted by reports of suspicious activity, Trimble said it found overprivileged permissions and suspicious directory activity on a number of Cityworks deployments.
“CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” CISA said in the advisory.
Hackers performed RCE against Microsoft IIS
The hackers reportedly exploited the flaw to run code remotely on customers’ Microsoft Internet Information Services (IIS) web servers, the software that provides web hosting on Windows-based infrastructure.
“Trimble has observed that some on-premise deployments may have overprivileged IIS identity permissions,” the company noted. “For avoidance of doubt, and in accordance with our technical documentation, IIS should not be run with local or domain level administrative privileges on any site.”
Additionally, the investigation found that some deployments had “inappropriate” attachment directory configurations. Trimble recommended limiting the attachments directory root configuration to folders and subfolders that contain only attachments.
Customers looking to update IIS identity permissions can do so by referring to the notes on Cityworks Support Portals. CWOL customers, Trimble clarified, have already received permission corrections and need not do anything.
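The permission guidance above (IIS must not run with local or domain administrative privileges) can be audited on an on-premises host before the patch lands. The following PowerShell script is an added example written for this article, not Trimble’s or CISA’s own tooling and not taken from the Cityworks Support Portal notes; it assumes Windows PowerShell 5.1 on the IIS server with the WebAdministration module that ships with IIS, and it only checks the local Administrators group (domain group membership has to be reviewed separately in Active Directory):

```powershell
# Added audit script (not from Trimble or CISA): list every IIS application pool
# identity and flag pools that run as LocalSystem or as a custom account that is
# a member of the local Administrators group.
# Assumes Windows PowerShell 5.1 on the IIS host with the WebAdministration module.
Import-Module WebAdministration

# Members of the local Administrators group, returned as "DOMAIN\name" or "HOST\name".
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $type = $pool.processModel.identityType   # ApplicationPoolIdentity, NetworkService, LocalService, LocalSystem, SpecificUser
    $user = $pool.processModel.userName       # only set for SpecificUser

    $risk = switch ($type) {
        'LocalSystem'  { 'HIGH: pool runs as SYSTEM' }
        'SpecificUser' {
            # Accounts stored without a domain prefix will not match a "DOMAIN\name"
            # entry, so an unqualified name is reported for manual review.
            if ($admins -contains $user.ToLowerInvariant()) {
                'HIGH: custom account is a local Administrator'
            } elseif ($user -match '^[^\\]+\\') {
                'REVIEW: domain account; verify its group membership in AD'
            } else {
                'REVIEW: unqualified account name; confirm it is not an administrator'
            }
        }
        default { 'ok' }   # built-in low-privilege identities
    }

    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $type
        Account      = $user
        Risk         = $risk
    }
}

# Print the full table, then the pools that need attention.
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Risk -ne 'ok' }
```

Run it in an elevated PowerShell session on each on-premises Cityworks web server; any pool reported as HIGH should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account, in line with Trimble’s technical documentation, and the attachments directory root should be reviewed at the same time.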
IOCs reveal CobaltStrike beacon was used for RCE
The advisory included a list of indicators of compromise (IOCs), detailing various tools used by the threat actors for remote intrusion. Among them were WinPutty and CobaltStrike trojans, along with GoLang-based executables designed to load VShell.
Also shared were a couple of URLs attackers used for command-and-control (C2) operations, established using CobaltStrike.
Microsoft Internet Information Services (IIS) web servers are a popular target for threat actors due to their potential for system takeover. Attackers exploit them to gain persistence, escalate privileges, establish command-and-control (C2) channels, and distribute malware. Last week, Microsoft warned that threat actors are targeting these servers in ViewState code injection attacks using publicly disclosed ASP.NET machine keys in an unrelated campaign.